A high-profile financial fraud case involving $21,013,562.31 at the Bank of Uganda (BoU) has exposed serious vulnerabilities in the country’s financial management system.
The fraud, executed through the Integrated Financial Management System (IFMS), resulted in the arrest and prosecution of officials from the ministry of Finance, including the accountant general. The scandal drew national attention, prompting President Yoweri Museveni and security agencies to intervene.
In response, the director of the Criminal Investigations Directorate (CID) issued a formal request on October 24, 2024, urging the auditor general to conduct a forensic and IT audit. This audit was aimed at supporting police investigations into allegations of abuse of office, embezzlement, financial mismanagement, and money laundering.
The fraudulent scheme involved two separate transactions, where funds meant for loan repayments to the International Development Association (IDA) and the African Development Fund (ADF) were illegally diverted. The ministry of Finance, Planning, and Economic Development (MoFPED), which oversees the IFMS, and the Bank of Uganda, which processes payments, both came under scrutiny for lapses in oversight and internal controls.
Following a preliminary review of the ministry of Finance and BoU records, the Auditor general launched a forensic investigation to determine the extent of the fraud, the methods used to divert public funds, and the individuals responsible.
The investigation sought to uncover gaps in financial security, assess the effectiveness of existing safeguards, and provide recommendations to prevent future financial misconduct. This case has raised critical concerns regarding Uganda’s financial governance, prompting calls for stricter regulatory oversight, enhanced cybersecurity measures, and increased accountability in public financial institutions.
How the fraud was executed
The first fraudulent transaction occurred on September 10, 2024, when a legitimate payment of $6,134,137.75 was initiated through the IFMS to settle an outstanding loan principal and interest owed to the International Development Association (IDA). However, before the payment was processed, transaction details were altered within the ministry of Finance’s application server, changing the payee from IDA to “Roadway Tokyo Japan.”
With internal security controls failing to detect the modification, the fraudulent payment was processed by BoU on September 12, 2024, and the funds were externalized. Despite efforts to recover the stolen money, the amount remains unaccounted for, resulting in a permanent financial loss of $6.1 million.
A second fraudulent transaction followed on September 26, 2024, when a legitimate payment of $8,596,824.26, intended for loan repayments to the African Development Fund (ADF), was also manipulated at the ministry of Finance’s application server. The payee details were altered, redirecting the payment to “MJS International London.”
The altered transaction was submitted to BoU, which processed it as a routine payment and externalized the funds two days later. This second fraud raised further questions about oversight failures within both the ministry of Finance and BoU, as no red flags were raised despite the similar fraudulent pattern.
Weak internal controls and recovery efforts
The investigation has highlighted serious vulnerabilities in Uganda’s financial oversight mechanisms, particularly in monitoring high-value transactions and securing government payment systems. The ability to alter payment details within IFMS before transactions were encrypted and transmitted to BoU points to significant lapses in cybersecurity and internal accountability.
Despite these weaknesses, authorities have recovered a portion of the stolen funds. While the $6.1 million IDA payment remains unrecovered, the government successfully reclaimed $8,205,103.81 from the fraudulent ADF transaction, reducing total financial losses.
Verification of the loan and oversight failures
The auditor general’s report confirmed that the loan repayment to IDA was legitimate, consisting of $4,169,569.42 in principal and $1,964,568.33 in interest, due in September 2024. Upon inquiry, the World Bank affirmed that IDA tracks loan repayments using borrower-provided SWIFT details, making it possible to trace transactions.
Despite the legitimacy of the transaction, the ministry of Finance failed to conduct key verification steps that could have detected the fraudulent diversion earlier. The report specifically criticized Mubarak Nansamba, the acting assistant commissioner of Treasury Services, for not requesting a SWIFT message from BoU after the transaction was processed.
This oversight delayed the detection of the fraud, allowing the funds to be successfully externalized to a fraudulent entity.
Initiation and processing of the fraudulent transaction
An analysis of the Integrated Financial Management System (IFMS), which is hosted at the ministry of Finance, revealed that the invoice for the payment was created on September 4, 2024, and approved on September 9, 2024, by Mubarak Nansamba.
The payment was processed as electronic funds transfer (EFT) No. 14380401, included in payment file 997201241009.EXT, and formatted for transmission on September 10, 2024, the report notes. To maintain security, the IFMS encrypts payment files using BoU’s public keys and the ministry of Finance’s private keys.
This encryption process ensures that only BoU can decrypt the file, while the ministry of Finance retains verifiable ownership of the transaction. On September 10, 2024, the encrypted payment file (997201241999.ext.gpg)—containing the $6,134,137.75 intended for IDA loan repayment—was placed on the staging server at the ministry of Finance.
The file was automatically picked up and transmitted via a leased line to BoU’s managed file transfer server (MFTS).
Final processing at the Bank of Uganda
Upon receiving the encrypted file, BoU’s MFTS downloaded the payment file from the ministry of Finance’s staging server. A file copy was backed up on the same server before being decrypted into plain text and transferred to BoU’s bbsuser directory. The transaction was then downloaded onto the Uganda Banking System (BBS), with a copy archived for record-keeping.
On the same day, Leona Faith Kwikiriza, a senior system analyst at the ministry of Finance, sent an email to BoU confirming the transaction. However, at some point before final processing, the payee details were altered, redirecting the funds to an unauthorized recipient.
The fraudulent modifications went undetected, allowing the $6.1 million to be externalized without raising alarms.
Implications for Uganda financial oversight
This incident has highlighted significant gaps in Uganda’s financial security framework, particularly in payment verification and digital transaction oversight. The failure to detect fraud before externalization of funds suggests that internal controls were either bypassed or inadequate to prevent manipulation.
How the fraudulent transaction was processed
The electronic funds transfer (EFT) process within BoU’s Banking System (BBS) begins when an unencrypted transaction file from the Managed File Transfer System (MFTS) is deposited into a staging directory. At this stage, the system is designed to log the transaction and verify its accuracy by checking its format, content and payment details.
However, upon reviewing the BBS transaction logs, the auditor general discovered a critical discrepancy. The transaction, originally intended for the International Development Association (IDA) in Washington, had been altered before processing.
Instead of IDA, the funds were redirected from the Accountant General’s Office to Roadway Co. Ltd, Tokyo, under the description: “Payment for recycling plant systems and machinery.”
According to the auditor general’s report, the same EFT number that was originally linked to a loan repayment had been manipulated to pay a fraudulent company in Tokyo. This raised serious concerns about internal controls and verification procedures within BoU’s payment system, as the fraudulent transaction passed through multiple check-points without detection.
How the payment details were manipulated
Further investigation revealed that upon decrypting the transaction files at both BoU and the ministry of Finance’s IFMS, the results were identical. However, forensic analysis confirmed that the encrypted file sent from the ministry of Finance had already been altered, listing Roadway Co. Ltd, Tokyo as the payee, with a fabricated description for a recycling equipment purchase.
System logs from the ministry of Finance’s IFMS application server revealed that during the encryption process, a plain text file containing transaction details had been left exposed.
This security lapse allowed the perpetrator to alter the payment details before encryption, making the transaction appear legitimate. Once encrypted, the manipulated file was transmitted to BoU, where it was processed without suspicion.
This breach of security enabled the fraudulent diversion of government funds, bypassing standard verification measures and exposing serious weaknesses in Uganda’s financial security infrastructure.
The role of insider manipulation
The investigation identified Tony Yawe, a senior IT officer at the ministry of Finance, as a key suspect in executing the fraud. System change logs showed that, between September 9 to 11, 2024, modifications were carried out using the user account “tyawe”, which belonged to Yawe.
The logs revealed that on September 9, 2024, Yawe altered critical system scripts on the IFMS application host server, granting himself full administrative control while restricting access for other users. He then renamed and relocated encryption scripts, ensuring that all future EFT transactions processed through the system would contain manipulated payment details.
On September 10, 2024, Yawe further modified BoU-related transaction files, giving himself full control over key financial data files. The final step of the fraud occurred on September 11, 2024, when he altered the payment file BOU_NW_10092024.dat, replacing the legitimate description “Interest Payment for IDA 1” with “Recycling Plant Systems and Machinery”.
This manipulation was intended to cover up the fraudulent transaction during reconciliation processes, ensuring that BoU’s systems would not flag the altered payment details.
Firewall breach and Yawe’s defense
During his interrogation by investigators, Yawe confirmed ownership of the “tyawe” account but denied involvement in executing the fraudulent transaction. He claimed that on September 8, 2024, he detected unusual server access that bypassed firewall controls and left no trace.
However, forensic examination of firewall logs, which record both internal and external traffic, found no evidence of unauthorized external access. Despite this, Yawe denied knowledge of the commands executed under his account on September 9, 10 and 26, 2024.
He further argued that the log file detailing the fraudulent modifications appeared foreign, resembling a batch file that did not conform to the system’s standard logging structure. This defense was contradicted by digital forensics, which confirmed that the commands were executed from an internal ministry of Finance user account rather than through an external hack.
How the fraud was executed
A review of the Debt Management and Financial Analysis System (DMFAS) confirmed that 26 loans from the African Development Fund (ADF) were scheduled for repayment on October 1, 2024. The outstanding balance consisted of $5,698,895.35 in principal and $2,897,928.91 in interest.
On September 23, 2024, an invoice for the payment was created in the Integrated Financial Management System (IFMS) by a user identified as “MKICONCO,” an accountant at the ministry of Finance. The following day, Mubarak Nasamba, the acting assistant commissioner of Treasury Services, approved the transaction.
The payment was then processed under electronic funds transfer (EFT) No. 14547957 on September 25, 2024, and was included in payment file 997201242609.EXT, formatted for transmission on September 26, 2024.
Encryption and transmission to BOU
As per protocol, the IFMS encrypts payment files using BoU’s public keys and the ministry of Finance’s private keys, ensuring that only BoU can decrypt and process the file. On September 26, 2024, both a plain text EFT file (997201242609.EXT) and its encrypted version (997201242609.EXT.gpg) were generated and stored on the IFMS application server.
The files contained nine transactions, including the ADF loan repayment. After encryption, the files were transmitted through a secure line to the Bank of Uganda’s Managed File Transfer System (MFTS), where BoU’s servers automatically retrieved, backed up, decrypted and transferred the files to its internal Banking and Payment Systems (BBS).
Final manipulation and fraudulent payment
On September 26, 2024, Eriphaz Sebiyonga, a senior systems analyst at the ministry of Finance, emailed BoU confirming the external payment file (997201242609.EXT), stating that nine transactions totaling $12,913,674.30 had been transmitted for processing.
However, a forensic review by the auditor general revealed discrepancies in BoU’s processed payments. While the original EFT file indicated that the $8,596,824.26 was meant for ADF loan repayment in Abidjan, the BoU system records showed the same EFT number paying “MJS INTERNATIONAL, London,” referencing “AE300824-ZRS.”
According to the auditor general’s findings, the modifications to the transaction occurred before it was sent to BoU, confirming that the fraudulent alterations were made at the Accountant General’s Office before submission.
“I confirmed that the Accountant General’s Office sent an encrypted file in which the payee for the transaction was ‘MJS INTERNATIONAL, London,’ with the reference AE300824-ZRS. This confirms that the change in payment details was made at the Accountant General’s Office before the file was sent to BoU,” the auditor general reported.
Technical execution of the fraud
A forensic analysis of the IFMS system logs for September 25-26, 2024, revealed that critical modifications were executed under the user account “mkasiiku”, belonging to Mark Kasiiku, a data center consultant at the ministry of Finance.
The investigation found that Kasiiku made unauthorized changes to key system files, including modifying file permissions, moving encryption scripts, and replacing transaction details. He also deleted logs and system back-ups to cover his tracks.
Specifically, Kasiiku manipulated transaction scripts to redirect payments, altering the intended recipients of high-value transfers. He also relocated critical financial files from their original locations, disrupting standard verification processes and concealing fraudulent modifications.
To further evade detection, he replaced encryption files, ensuring that the altered transactions would pass verification checks without raising suspicion. In an effort to cover his tracks, he deleted system logs that recorded user login activities, making it difficult for investigators to trace unauthorized access and tampering.
Kasiiku’s defense and investigative findings
During interrogation by investigators, Kasiiku denied involvement in the fraudulent activities. He claimed that the transactions executed under his username occurred before his usual arrival at work (8:30am) and that he lacked remote access credentials to manipulate the system from outside the ministry of Finance premises.
However, further investigation revealed that upon receiving the payment invoice, BoU had sent a confirmation email to the ministry of Finance. A comparison of the files sent by BoU and those recorded in the ministry’s system uncovered a significant discrepancy.
• BoU’s records listed the payee as “MJS INTERNATIONAL, London,” referencing “AE300824-ZRS.”
• The ministry’s internal records still referenced the payment as “Uganda Principal and Interest Payment for African Development Fund (ADF).”
This discrepancy confirmed that the manipulation took place at the ministry of Finance before transmission to BoU.
Financial loss and recovery efforts
On November 14, 2024, a SWIFT message from Citibank New York confirmed the reversal of $8,205,103.81, which was credited back to the ministry of Finance’s account at BoU.
Despite this partial recovery, the fraudulent transaction resulted in a net financial loss of $391,720.45 to the government of Uganda, due to banking fees and exchange rate fluctuations incurred during the reversal process.
Another attempted fraudulent transaction
Further investigation revealed an attempted fraud involving $6,674,320.75, initially described as “Uganda principal and interest payment for IDA due January 15, 2025.”
This transaction was fraudulently redirected to an account in Sielska-Poznan, Poland, using the same loopholes as the previous fraudulent diversions.
However, the SWIFT messaging system detected a mismatch, as the payee was listed as IDA, but the bank details corresponded to an account in Poland, rather than Washington. This triggered an alert, leading to the transaction being flagged and rejected before funds could be externalized.
Conclusion and implications for Uganda’s financial oversight
The auditor general’s findings have exposed significant weaknesses in Uganda’s financial security infrastructure, particularly in digital transaction oversight, encryption security, and internal controls within the ministry of Finance and BoU.
While a portion of the stolen funds was recovered, the ease with which high-value transactions were manipulated raises serious concerns about system vulnerabilities and institutional accountability. This case has sparked urgent calls for financial reforms aimed at enhancing security and accountability in Uganda’s financial systems.
